Re: VPN, dnsmasq, and private domains



From: "Jack Bates" <u32lyv nottheoilrig com>
To: networkmanager-list gnome org
Sent: Friday, June 21, 2013 10:55:30 PM
Subject: VPN, dnsmasq, and private domains

> Hello,
> 
> When I connect to my office VPN with NetworkManager and OpenConnect I
> have some problems with the office network because I can't resolve some
> private domains.
> 
> I'm running a fresh install of Ubuntu 13.04 which came with
> NetworkManager 0.9.8.0 and OpenConnect 4.07. Out of the box,
> NetworkManager comes set up with dnsmasq.
> 
> I think my trouble is in nm-dns-dnsmasq.c line 275 and in the
> add_ip4_config subroutine:
> 
>       /* Use split DNS for VPN configs */
>       for (iter = (GSList *) vpn_configs; iter; iter = g_slist_next (iter)) {
>               if (NM_IS_IP4_CONFIG (iter->data))
>                       add_ip4_config (conf, NM_IP4_CONFIG (iter->data), TRUE);
> 
> If I understand the code right, NetworkManager will only use the servers
> advertised by the VPN for domains (or "searches") that are advertised by
> the VPN,

Correct.

> and I suspect in my case the VPN doesn't advertise the private
> domains that are causing the problems?

Sounds like that.

> Here is the output of "openconnect -s env -v vpn2.gov.bc.ca":
> 
>     http://nottheoilrig.com/networkmanager/201306210/stdout
> 
> I'm having problems resolving names like "example.bcgov" and I don't see
> "bcgov" anywhere in the "openconnect" output.
> 
>     1)  Is it possible that the VPN does advertise the "bcgov" private
> domain and "openconnect" just isn't printing it?

It should be possible to learn this from NetworkManager openconnect plugin
logs. NetworkManager logs can also help. By the way, you do not indicate
that you are indeed using the NetworkManager plugin to start openconnect.
Please confirm.

>     2)  Otherwise, if "openconnect" is printing all the data from the
> VPN, would you say the VPN is misconfigured?

Yes. I would say that, as the domain list is the only way to learn where a
specific query should go.

> Must a VPN advertise all private domains?

I can't say anything specific to openconnect, here. But generally you
cannot expect non-global name resolution with split DNS to work properly
unless you have a complete list of domains for each list of [split] DNS
servers.

>     3)  If the VPN is not misconfigured, how can NetworkManager avoid
> these problems? In my case it seems like NetworkManager needs to use the
> VPN servers for all DNS traffic?

NetworkManager normally uses VPN-provided name servers for all DNS traffic when you use the VPN for default 
routing. AFAIK you can currently only set the default routing and default DNS together, not separately. If 
you or someone else have a *very* good use case, it might be worth filing a RFE for that.

Cheers,

Pavel
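To make the split-DNS behaviour discussed above concrete, here is an added example (not part of the thread, and not NetworkManager's own code) that models what NetworkManager's dnsmasq plugin does with a VPN's domain list. The VPN domain list, the VPN name server 10.0.0.53 and the LAN resolver 192.168.1.1 are constructed values standing in for what the openconnect plugin would hand NetworkManager. The script emits the dnsmasq `server=/domain/ip` directives such a configuration produces and decides, by dnsmasq's longest-suffix rule, which upstream a given query reaches; the `VPN_DEFAULT_ROUTE` switch models the case Pavel describes, where the VPN is the default route and all DNS goes to the VPN servers.

```shell
#!/bin/sh
# Added example: model of NetworkManager's split DNS via dnsmasq.
# All values below are constructed for illustration, not taken from the thread.
VPN_DOMAINS="gov.bc.ca bcgov.internal"   # constructed: domains the VPN advertises
VPN_DNS="10.0.0.53"                      # constructed: name server the VPN advertises
DEFAULT_DNS="192.168.1.1"                # constructed: LAN resolver used for everything else
VPN_DEFAULT_ROUTE=0                      # 1 when the VPN is the default route

# Emit the dnsmasq directives NetworkManager would write. With split DNS
# there is one server=/domain/ip line per advertised domain plus the default
# upstream; when the VPN is the default route, only the VPN server is used.
split_dns_config() {
    if [ "$VPN_DEFAULT_ROUTE" -eq 1 ]; then
        printf 'server=%s\n' "$VPN_DNS"
        return
    fi
    for d in $VPN_DOMAINS; do
        printf 'server=/%s/%s\n' "$d" "$VPN_DNS"
    done
    printf 'server=%s\n' "$DEFAULT_DNS"
}

# Print the upstream a query for $1 reaches under that configuration.
# dnsmasq picks the longest configured domain suffix; a name under no
# advertised domain (e.g. example.bcgov here) goes to the default server,
# which is exactly why an incomplete domain list breaks private names.
resolver_for() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    if [ "$VPN_DEFAULT_ROUTE" -eq 1 ]; then
        echo "$VPN_DNS"
        return
    fi
    best=""
    for d in $VPN_DOMAINS; do
        case "$name" in
            "$d"|*."$d")
                if [ ${#d} -gt ${#best} ]; then best=$d; fi ;;
        esac
    done
    if [ -n "$best" ]; then echo "$VPN_DNS"; else echo "$DEFAULT_DNS"; fi
}

# Usage demo: show the generated config and where two sample names are sent.
split_dns_config
for n in host.gov.bc.ca example.bcgov; do
    printf '%s -> %s\n' "$n" "$(resolver_for "$n")"
done
```

Compare the output of `resolver_for` for a name that fails on your machine with the `server=/.../` lines dnsmasq was actually started with (visible in the NetworkManager log or via `ps`): if the name's suffix is not in that list and the VPN is not the default route, the query never reaches the VPN resolver.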

